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Abstract 

Non-trivial analysis problems require posets with infinite ascending and descend¬ 
ing chains. In order to compute reasonably precise post-fixpoints of the resulting 
systems of equations, Cousot and Cousot have suggested accelerated fixpoint it¬ 
eration by means of widening and narrowing (Cousot and Cousot, 1976, 1977a). 

The strict separation into phases, however, may unnecessarily give up preci¬ 
sion that cannot be recovered later, as over-approximated interim results have 
to be fully propagated through the equation the system. Additionally, classical 
two-phased approach is not suitable for equation systems with infinitely many 
unknowns—where demand driven solving must be used. Construction of an in¬ 
tertwined approach must be able to answer when it is safe to apply narrowing— 
or when widening must be applied. In general, this is a difficult problem. In case 
the right-hand sides of equations are monotonic, however, we can always apply 
narrowing whenever we have reached a post-fixpoint for an equation. The as¬ 
sumption of monotonicity, though, is not met in presence of widening. It is also 
not met by equation systems corresponding to context-sensitive inter-procedural 
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analysis, possibly combining context-sensitive analysis of local information with 
flow-insensitive analysis of globals (Apinis et ah, 2012). 

As a remedy, we present a novel operator B that combines a given widening 
operator U with a given narrowing operator n. We present adapted versions of 
round-robin as well as of worklist iteration, local and side-effecting solving algo¬ 
rithms for the combined operator B and prove that the resulting solvers always 
return sound results and are guaranteed to terminate for monotonic systems 
whenever only hnitely many unknowns (constraint variables) are encountered. 
Practical remedies are proposed for termination in the non-monotonic case. Be¬ 
yond that, we also discuss extensions of the base local solver that allow to further 
enhance precision such as localized application of the operator B and restarting 
of the iteration for subsets of unknowns. 

Keywords: Static Program Analysis, Fixpoint Iteration, Constraint Solving, 
Widening and Narrowing, Termination 


1. Introduction 

From an algorithmic point of view, static analysis typically boils down to 
solving systems of equations over a suitable domain of values. The unknowns 
of the system correspond to the invariants to be computed, e.g., for each pro¬ 
gram point or for each program point in a given calling context or instance 
of a class. For abstract interpretation, often complete lattices are chosen as 
domains of (abstract) values (Cousot and Cousot, 1977a). Practically, though, 
partial orders can be applied which are not necessarily complete lattices—given 
only that they support an effective binary upper bound operation. This is the 
case, e.g., for polyhedra (Cousot and Halbwachs, 1978) or zonotopes (Ghorbal 
et ah, 2009). Still, variants of Kleene iteration can be applied to determine 
solutions. Right from the beginning of abstract interpretation, it also has been 
observed that many interesting invariants are best expressed by domains that 
have infinite strictly ascending chains. Possibly infinite strictly ascending chains, 
though, imply that naive Kleene iteration may not terminate. For that reason. 
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Cousot and Cousot proposed a widening iteration to obtain a valid invariant or, 
technically speaking, a post solution which snbsequently may be improved by 
means of a narrowing iteration (Cousot and Cousot, 1976, 1992b). The widen¬ 
ing phase can be considered as a Kleene iteration that is accelerated by means 
of a widening operator to enforce that only finitely many increases of values 
occur for every unknown. While enforcing termination, it may result in a crude 
over-approximation of the invariants of the program. In order to compensate for 
that, the snbsequent narrowing iteration tries to improve a given post solution 
by means of a downward fixpoint iteration, which again may be accelerated, in 
this case by means of a narrowing operator. 

Trying to recover precision once it has been thrown away, though, in general 
is not possible (see, e.g., (Halbwachs and Henry, 2012) for a recent discussion). 
Some attempts try to improve precision by reducing the number of points where 
widening is applied (Cousot, 1981; Bourdoncle, 1993), while others rely on re- 
hned widening or narrowing operators (see, e.g., (Simon and King, 2006; Cortesi 
and Zanioli, 2011)). Recently, several authors have focused on methods to guide 
or stratify the exploration of the state space (Gopan and Reps, 2007, 2006; Gula- 
vani et ah, 2008; Monniaux and Guen, 2011; Henry et ah, 2012b), 

including techniques for automatic transformation of irregular loops (Gul- 
wani et ah, 2009; Sharma et ah, 2011) or by restricting the use of widening to 
relevant parts of the program state only (Halbwachs and Henry, 2012). 

Our approach here at least partly encompasses those in (Gousot, 1981; Bour¬ 
doncle, 1993) while it is complementary to the other techniques and can, pos¬ 
sibly, be combined with these. Our idea is to avoid to postpone narrowing to 
a second phase where all losses of information have already occurred and been 
propagated. Instead, an attempt is made to systematically improve the current 
information immediately by downward iterations. This means that increasing 
and decreasing iterations are applied in an interleaved manner. A similar idea 
has already applied in syntax-directed fixpoint iteration engines as, e.g., in the 
static analyzers Astree (Blanche! et ah, 2003; Cousot et ah, 2007) and Jandom 
(Amato and Scozzari, 2013). In order to enforce termination, ad-hoc techniqnes 
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such as restrictions to the number of updates are applied. Here, we explore such 
iteration strategies in a generic setting and provide sufficient conditions when 
particular fixpoint algorithms are guaranteed to terminate. 

The original formulation of narrowing as considered in (Cousot and Cousot, 
1976, 1992b), requires right-hand sides of equations to be monotonic so that the 
improving second iteration phase is guaranteed to be downward. Accordingly, 
the narrowing operator is only guaranteed to return meaningful results when 
applied in decreasing sequences of values. As we concentrate to the algorithmic 
side, we refer to these original notions of narrowing, opposed to the more elabo¬ 
rate notions of (Cousot and Cousot, 1992a) which additionally take the concrete 
semantics of the system to be analyzed into account. Still, the assumption of 
monotonicity of right-hand sides, even dis-regarding the occurrences of widen¬ 
ing and narrowing operators, may not always be met. So, monotonicity can no 
longer be guaranteed, when compiling context-sensitive inter-procedural analy¬ 
sis into systems of equations (Fecht and Seidl, 1999; Apinis et ah, 2012). More¬ 
over, the resulting equation systems may be infinite and thus can be handled 
by local solvers only. Local solvers query the value of an interesting unknown 
and explore the space of unknowns only as much as required for answering the 
query. For this type of algorithm, the set of unknowns to be evaluated is not 
known beforehand. Accordingly, the values of unknowns may be queried in the 
narrowing phase that have not yet been encountered before. As a consequence, 
the rigid two-phase iteration strategy of one widening iteration followed by one 
narrowing iteration can no longer be maintained. 

In order to cope with these obstacles, we introduce an operator B which is 
a generic combination of a given widening U with a given narrowing operator 
n and show that this new operator can be plugged into any generic solver 
of equation systems, be they monotonic or non-monotonic. The B operator 
behaves like narrowing as long as the iteration is descending, and like widening 
otherwise. As a result, solvers are obtained that return reasonably precise post 
solutions in one go—given that they terminate. 
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Termination, though, is indeed an issue. We present two simple example 
systems of monotonic equations where standard fixpoint algorithms such as 
round robin or work-list iteration, when enhanced with the new operator, fail to 
terminate. Therefore, we develop a variant of round robin as well as a variant of 
work-list iteration which in absence of widening and narrowing are not or at least 
not much worse than their standard counter parts—but which additionally are 
guaranteed to terminate when the S-operator is applied to monotonic systems. 

The idea of plugging the new operator B into a generic local solver works 
as well. A local solver such as (Hofmann et ah, 2010a), however, is not generic 
in the sense of the present paper—meaning that a naive enhancement with the 
operator B is no longer guaranteed to return sound results. As our main contri¬ 
bution, we therefore present a variation of this algorithm which always returns 
a (partial) post solution and, moreover, is guaranteed to terminate—at least for 
monotonic equation systems and if only finitely many unknowns are encountered. 
This algorithm relies on self-observation not only for identifying dependencies 
between unknowns on the fly, but also to determine a suitable prioritization of 
the unknowns. This vanilla version of a local iterator then is extended to cope 
with the losses in precision detected in (Amato and Scozzari, 2013). We present 
novel techniques for localizing the use of the operator B to loop heads only. 
These loop heads are dynamically detected and recomputed depending on the 
status of the fixpoint computation. Interestingly, dynamically recomputing loop 
heads during fixpoint computation increases precision significantly. As another 
improvement, we also considered to dynamically restart the iteration for sub¬ 
sets of unknowns during a narrowing sub-iteration. These algorithms then are 
extended to solvers for side-effecting constraint systems. Side-effecting systems 
allow to conveniently specify analyses that combine context-sensitive analysis 
of local information with flow-insensitive analysis of globals (Apinis et ah, 2012) 
as provided, e.g., by the program analyzer Goblint (Vojdani and Vene, 2009). 
Since the different contributions to a global unknown are generated during the 
evaluation of a subset of right-hand sides, which is not known before-hand and 
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may vary during fixpoint iteration, further non-trivial changes are required to 
handle this situation. 

The obstacle remains that termination guarantees in presence of unrestricted 
non-monotonicity cannot be given. We attack this obstacle by two means. By 
practical experiments, we provide evidence that our iterator as is, not only 
terminates but is reasonably efficient — at least for the equation systems of 
an inter-procedural interval analysis of several non-trivial real-world programs. 
Secondly, we remark that, globally and irrespective of accidental experiments, 
termination can be guaranteed by bounding for each unknown the number of 
switches from narrowing back to widening, or, more smoothly, to apply more 
and more aggressive narrowing operators. Note that this family of restrictions 
is more liberal than restricting the number of updates of each unknown directly. 

The rest of the paper is organized as follows. In Section 2, we present the 
concept of generic solvers. In Section 3, we show that any such solver, when 
instantiated with B, returns a post solution of an arbitrary equation system 
(be it monotonic or not) whenever the solver terminates. In order to enforce 
termination at least for finite systems of monotonic equations, we provide in 
Section 4 new generic variants of round-robin iteration as well as of work-list 
based fixpoint computation. Section 5 introduces the new generic local B-solver 
SLR, which is subsequently enhanced with localization of B (Section 6) and 
restarting (Section 7). All three local solvers then are generalized to equation 
systems with side effects in Section 8. In section 9, we compare the local solvers 
w.r.t. to precision and efficiency within the analyzer framework Goblint and 
conclude in Section 11. 

Sections 2 to 5 and the first part of section 8 are based on (Apinis et ah, 
2013). The extension of ordinary and generic local solving provided in Sections 6 
and 7, as well as the second half of Section 8 are new. Also the experimental 
evaluation in Section 9 has been redone completely. 
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2. Chaotic fixpoint iteration 


Consider a system S of equations x = fx, for a set of unknowns x G X, and 
over a set ID of values where the right-hand sides fx are mappings (X ID) —>■ ID. 
Furthermore, let □: ID -5- D -5- ID be a binary operator to combine old values 
with the new contributions of the right-hand sides. 

A D-solution of S is an assignment p : X ^ H such that for all unknowns 

X € A, 

p[x\ = p[x\UfxP. 

In the case that □ is defined as a □ 6 = 5, a D-solution is an ordinary solution of 
the system, i.e., a mapping p with p[x\ = fx P for all unknowns x. 

Most of the time D is a directed set, i.e., a poset such that for each pair of 
elements a, & G ID, there exists an upper bound z such that z □ a and z □ 5. We 
denote by alJ& a generic upper bound of a and b. In case D is a directed set, and 
the D-operator is an upper bound, a D-solution is a post solution of the system, 
i.e., a mapping p with p[x\ ^ fx p for all unknowns x. Likewise in case D is a 
downward-directed set and □ is a lower bound, a D-solution is a pre solution of 
the system, i.e., a mapping p with p[x\ Q fx P for all unknowns x. 

The operator D can also be instantiated with widening and narrowing op¬ 
erators. According to (Cousot and Cousot, 1976, 1977a, 1992b), a widening 
operator U for a poset ID must satisfy that a Q aU b, b Q aU b for all a, 6 € D, 
and any widening sequence cannot be strictly ascending. This implies that a 
U-solution then again provides a post solution of the original system S. The 
situation is slightly more complicated for narrowing operators. For a narrow¬ 
ing operator D, a □ 6 implies that a □ (a D 5) □ 6 and any narrowing sequence 
cannot be strictly descending. This means that narrowing can only be applied 
if the right-hand side of equations are guaranteed to return values that are less 
than or equal to the values of the current left-hand sides. Thus a mapping p 
can only be a n-solution if it is a post solution of the system. 

A (chaotic) solver for systems of equations is an algorithm that maintains 
a mapping p : A —>■ D and performs a sequence of update steps, starting from 
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do 

dirty <— false] 
foreach x & X 6o 

new ^ p[x\ □ p-, 

if p\x\ ^ new then 
p[x\ ^ new; 
dirty 4— true] 
while (dirty) 

Figure 1: The solver RR. 


\N i- X] 

while W 7 ^ 0 do 

X -ir- extract(W); 
new <- p[x] □ fx p] 

if p\x\ 7 ^ new then 
p[x\ ^ new; 

W ^ W UinfU 

done 

Figure 2; The Solver W. 


an initial mapping po- Each update step selects an unknown x, evaluates the 
right-hand side fx of x w.r.t. the current mapping pi and updates the value for 
X, i.e., 

\pi[x\ufxPi, \ix = y 
P^+l[y\ = < 

I Pi [y], otherwise. 

Then the algorithm is a ^solver if upon termination the final mapping (after 
completing n steps) p„ is a D-solution of S. The algorithm is a generic solver 
if it works for any binary update operator □. In this sense, the round-robin 
iteration of Fig. 1 is a generic solver. Note that, in most cases, we omit update 
step indices and, additionally, use imperative assignment syntax of the form 
p[x\ ^ w to change the value of the unknown x to ru in the mapping p. 

In order to prove that a given algorithm is a generic solver, i.e., upon ter¬ 
mination returns a ^solution, one typically verifies the invariant that for every 
terminating run of the algorithm producing the sequence po, pi,..., pn of map¬ 
pings, and every unknown x, Pi[x\ 7 ^ Pi[x\ D/r Pi implies that for some j > f, an 
update p 7 +i[x] = pj[x\u fx Pj occurs. 

Not every solver algorithm, though, may consider right-hand sides of equa¬ 
tions as black boxes, as the round-robin algorithm does. The worklist algorithm 
from Fig. 2 can only be used as generic solver—given that all dependences are 
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provided before-hand. This means that for each right-hand side fx a (super-)set 
dep^ of unknowns is given such that for all mappings p, p', fx P = fx p' whenever 
p and p' agree on all unknowns in dep^. From these sets, we define the sets inflj, 
of unknowns possibly influenced by (a change of the value of) unknown y, i.e., 

inflj^ = {x&X\y& dep,,} U {y} . 

In the case that the value of some unknown y changes, all right-hand sides of 
unknowns in the set inflj^ must be re-computed. Note that whenever an update 
to an unknown y provides a new value, we re-schedule y for evaluation as well. 
This is a precaution for the case that the operator □ is not (right) idempotent. 
Here, an operator □ is called idempotent if the following equality: 

{aOb)ub = aOb 

holds for all a, b. In this sense, the operators U and n are idempotent and often 
also U and n. An operator such as 2^, however, for a, & G R is not idempotent. 


3. Enhancing Narrowing 


First, we observe: 


Fact 1. Assume that all right-hand sides of the system S of equations over a 
poset D are monotonie and that po is a post solution of S, and O is a narrowing 
operator n. Then the sequence po,pi,... of mappings produeed by a generic 
O-solver, is defined and decreasing. ■ 


Thus, any generic solver can be applied to improve a post solution by means of a 
narrowing iteration—given that all right-hand sides of equations are monotonic. 


Equation systems for context-sensitive inter-procedural analysis, though, are 
not necessarily monotonic. In the following we show how to lift the technical 
restrictions to the applicability of narrowing. Given a widening operator U and 
a narrowing operator n, we define a new binary operator B by: 


aSb = 


{ aH 6, 

aU 6, 


if & C o 
otherwise. 
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Note that the operator B is not necessarily idempotent, but whenever narrowing 
is idempotent the following holds: 

(a B 6) B 6 = (a B 6) n 6 

and therefore also 

((a B 6) B 6) B 6 = (a B 6) B b. 

A fixpoint algorithm equipped with the operator B applies widening as long as 
values grow. Once the evaluation of the right-hand side of a unknown results in 
a smaller or equal value, narrowing is applied and values may shrink. For the 
operator B, we observe: 

Lemma 1. Consider a finite system S of equations over a directed set D. Then 
every ^-solution p of S is a post solution, i.e., for all unknowns x, p[x\ □ /a;P. 

Proof. Consider a mapping p that is a B-solution of S and an arbitrary un¬ 
known X. For a contradiction assume that p[x\ 3 fxP- But then we have: 

p[x\ = p[x\mf,,p = p[x\uf,,p ^ fxP 

in contradiction to our assumption! Accordingly, p must be a post solution of 
the system of equations S. ■ 

Thus, every generic solver for directed sets ID can be turned into a solver com¬ 
puting post solutions by using the combined widening and narrowing operator. 
The intertwined application of widening and narrowing, which naturally occurs 
when solving the system of equations by means of B, has the additional ad¬ 
vantage that values may also shrink in-between. Improving possibly too large 
values, thus, may take place immediately resulting in overall smaller, i.e., bet¬ 
ter post solutions. Moreover, no restriction is imposed any longer concerning 
monotonicity of right-hand sides. 
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4. Enforcing termination 


For the new operator B, termination cannot generally be guaranteed for all 
solvers. In this section, we therefore present a modification of worklist iteration 
which is guaranteed to terminate—given that all right-hand sides of equations 
are monotonic. 

Example 2. Consider the system: 

Xi = X2 
X2 = 3^3 + 1 

X3 = XI 

with D = N U {oo}, the lattice of non-negative integers, equipped with the 
natural ordering C given by < and extended with oo. Consider a widening 
U where au6 = a if a = b and a U 6 = oo otherwise, together with a narrow¬ 
ing n where, for a >b, anb = b if a = oo, and an b = a otherwise. Round- 
robin iteration with the operator B for this system starting from the mapping 
po = {xi i-^ 0 ,X 2 '-^ 0 ,X 3 0}, will produce the following sequence of mappings: 



0 

1 

2 

3 

4 

5 


Xi 

0 

0 

CX) 

1 

OO 

2 


X2 

0 

oo 

1 

oo 

2 

oo 


X3 

0 

0 

OO 

1 

oo 

2 



Iteration does not terminate—although right-hand sides are monotonic. I 

A similar example shows that ordinary worklist iteration, enhanced with B, also 
may not terminate, even if all equations are monotonic. 

Example 3. Consider the two equations: 

xi = (xi -I- 1) n (x 2 -I- 1) 

X2 = ix2 + 1) n (xi -I- 1) 
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using the same lattiee as in Example 2 where n denotes minimum, i.e., the 
greatest lower bound. Assume that the work-set is maintained with a lifo dis- 
eipline. For W = [xi,X 2 ], worklist iteration, starting with the initial mapping 
Po = {xi 1-^ 0,X2 1-^ 0}, results in the following iteration sequenee: 


w 

lxi,X2] 

lxi,X2] 

lxi,X2] 

1X2] 

[X 2 ,xi] 

[X2,X2] 

[xi] 

lxi,X2] 


Xi 

0 

oo 

1 

1 

1 

1 

1 

OO 


X2 

0 

0 

0 

0 

OO 

2 

2 

2 



whieh does not terminate. I 


We present modified versions of the round-robin solver as well as the worklist 
solver for which termination can be guaranteed. The worst case complexity for 
the new round-robin solver turns out to be faster than ordinary round-robin iter¬ 
ation, even by a factor of 2. For the new worklist solver, theoretical complexity 
is at least not far away from the classical iterator. 

For both algorithms, we assume that we are given a fixed linear ordering 
on the set of unknowns so that X = {xi,..., x„}. The ordering will affect 
the iteration strategy, and therefore, as shown by Bourdoncle (1990), has a 
significant impact on performance. Hence, the linear ordering should be chosen 
in a way that innermost loops would be evaluated before iteration on outer loops. 
For unknowns Xi and the system of equations given by Xi = fi, for i = 1,... ,n, 
the new round-robin algorithm is shown in Fig. 3. 

Let us call the new algorithm SRR {strue- 


tured round-robin). For a given initial mapping 
Po, structured round-robin is started by calling 
solve n. The idea of the algorithm is, when called 
for a number i, to iterate on the unknown Xi un¬ 
til stabilization. Before every update of the un¬ 
known Xi, however, all unknowns Xj,j < i are re¬ 
cursively solved. Clearly, the resulting algorithm 
is a generic D-solver. 


void solve(f) { 
if i = 0 then return; 

solve(i—1); 
new p[xi] □ fi p-, 
if p\xi\ 7^ new then 
p[xi] t— new; 
solve(f); 

} 
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Figure 3: The new solver SRR. 



Recall that a poset D has height ft, if ft. is the 
maximal length of a strictly increasing chain do C 
di \Z ... dh- We find: 

Theorem 4. Consider a system of n equations over a directed set D where 
all right-hand sides are monotonic. Then the following holds for the algorithm 
SRR when started on any mapping: 

1. //D has bounded height ft and □ = U, then SRR terminates with a post¬ 
solution after at most n + ^n(n + 1) evaluations of right-hand sides fi. 

2. In presence of possibly unbounded ascending chains, when instantiated with 
□ = B, SRR terminates with a post-solution. 

The first statement indicates that SRR may favorably compete with ordinary 
round robin iteration in case that no widening and narrowing is required. The 
second statement, on the other hand, provides us with a termination guarantee 
— whenever only all right-hand sides are monotonic. 

Proof. Recall that ordinary round robin iteration for directed sets of bounded 
height performs at most ft • n rounds due to increases of values of unknowns plus 
one extra round to detect termination, giving in total 

n-\- h -n^ 

evaluations of right-hand sides. In contrast for structured round robin iteration, 
termination for unknown Xi requires one evaluation when solve i is called for 
the first time and then one further evaluation for every update of one of the 
unknowns ..., Xi+i. This sums up to ft • (n — i) -|- 1 evaluations throughout 
the whole iteration. This gives a overhead of 

" ft 

n -\- h ■ — i) = n -I- — ■ n • (n — 1) . 

Additionally, there are h-n evaluations that increase values. In total, the number 
of evaluations, therefore, is 

n-f — - n-ln — l)-|-ft-n = n-|- — - n-ln-l-l) 
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giving us statement 1. 

For the second statement, we proceed by induction on i. The case i = 0 
is vacuously true. For the inductive step, assume that i > 0 and for all j < z, 
solve j terminates for any mapping. To arrive at a contradiction, assume that 
solve z for the current mapping p does not terminate. First, consider the case 
where fi p returns a value smaller than p[xi]. Since SRR is a generic solver, 
we have for all j < z, p[xj\ = p[xj\ B fj p, implying that p[xj\ □ fj p for all 
j < i. After p{xi\ is updated, by monotonicity, it still holds that p[xj\ □ fj p 
for all j < i. Solving for the unknown z — 1 will only cause further descending 
steps, where B behaves like n. The subsequent iteration of solve z will produce 
a decreasing sequence of mappings. Since all decreasing chains produced by 
narrowing are ultimately stable, the call solve z will terminate—in contradiction 
to our assumption. 

Therefore, non-termination is only possible if during the whole run of solve z, 
evaluating fi p must always return a value that is not subsumed by p[xi\. Since 
all calls solve (z — 1) in-between terminate by the induction hypothesis, a strictly 
increasing sequence of values for Xi is obtained that is produced by repeatedly 
applying the widening operator. Due to the properties of widening operators, 
any such sequence is eventually stable—again in contradiction to our assumption. 
We thus conclude that solve i is eventually terminating. ■ 

Example 5. Recall the equation system, for which round-robin iteration did 
not terminate. With structured round-robin iteration, however, we obtain the 
following sequence of updates: 


i 


2 

1 

2 

1 

3 

2 

1 

Xi 

0 

0 

OO 

oo 

1 

1 

1 

oo 

X2 

0 

oo 

OO 

1 

1 

1 

OO 

oo 

X3 

0 

0 

0 

0 

0 

oo 

oo 

oo 


where the evaluations of unknowns not resulting in an update have been omitted. 
Thus, structured fix-point solving quickly stabilizes for this example. I 
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The idea of structured iteration can also be lifted to worklist iteration. Con¬ 


sider again a system Xi = fi, for z = 1,..., n, of equations. As for the ordinary 
worklist algorithm, we assume that for each right-hand side fi a (super-)set depj 
of unknowns is given, such that for all mappings p,p', fiP = fip' whenever p 
and p' agree on all unknowns in depj. As before for each unknown Xj, let infl^ 
denote the set consisting of the unknown Xj together with all unknowns influ¬ 
enced by Xj. Instead of a plain worklist, the modified algorithm maintains the 
set of unknowns to be reevaluated, within a priority queue Q. In every round, 
not an arbitrary element is extracted from Q — but the unknown with the least 
index. The resulting algorithm is presented in Fig. 4. 

Here, the function add inserts an element 


into the priority queue or leaves the queue 
unchanged if the element is already present. 
Moreover, the function extract_min removes 
the unknown with the smallest index from 
the queue and returns it as result. 

Let us call the resulting algorithm SW 
(structured worklist iteration). Clearly, the 
resulting algorithm is a generic solver for sys¬ 
tems of equations where the dependences be¬ 
tween unknowns are explicitly given. 


Q 0; 

for z = 1 to n do add Q xp, 
while Q 0 do 

Xi P- extract_min((5); 
new ^ p[x^] □ fi p\ 
if p\xi] new then 
p[xi] ^ new; 

foreach Xj G infl^ do 
add Q Xj 

done 


Example 6. Consider again the system 

t 1 o 04. 4. j 1T 4 -4 Figure 4: The new solver SW, 

from example 3. btructurea worklist itera- 

tion using B for this system results in the 

following iteration: 


Q 

lxi,X2] 

[X1,X2] 

[2:1,2^2] 

[2:2] 

12:1.2:2] 

[2:1,2:2] 

[2:2] 

D 

Xi 

0 

oo 

1 

1 

1 

(X) 

00 

(X) 

X2 

0 

0 

0 

0 

00 

00 

00 

00 


and thus terminates. I 


In general, we have: 
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Theorem 7. Assume the algorithm SW is applied to a system of equations 
over a directed set D and that each right-hand side is monotonic. 

1. Assume that the maximal length of a strictly ascending chain is bounded 
by h. When instantiated with □ = U, the algorithm terminates after at 
most h ■ N evaluations of right-hand sides where -^=X]r=i(2 + 

2. When instantiated with 0 = 3 and started on any mapping, the algorithm 
is guaranteed to terminate and, thus, always to return a post solution. 

The first statement of the theorem indicates that SW behaves complexity-wise 
like ordinary worklist iteration: in case that the directed set D has finite height, 
the only overhead to be paid for is an extra logarithmic factor for maintaining the 
priority queue. The second statement, perhaps, is more surprising: it provides 
us with a termination guarantee for arbitrary lattices and the operator S — 
whenever only all right-hand sides are monotonic. 

Proof. We proceed by induction on the number n of unknowns. The case 
n = 1 is true by definition of widening and narrowing. For the induction step 
assume that the assertion holds for systems of equations of n — 1 unknowns. 
Now consider a system of equations for a set X of cardinality n, and assume 
that Xn is the unknown which is larger than all other unknowns in X. 

For a contradiction assume that SW does not terminate for the system of 
equations for X. First assume that the unknown Xn is extracted from the queue 
Q only finitely many times, say k times where d is the last value computed for 
Xn. This means that after the last extraction, an infinite iteration occurs on the 
subsystem on the unknowns X' = X \ {n} where for Xr G X', the right-hand 
side is given by /' p = (p©{a;„ i—>■ d}). By inductive hypothesis, however, the 

algorithm SW for this system terminates — in contradiction to our assumption. 

Therefore, we may assume that the unknown Xn is extracted infinitely often 
from Q. Let pi,i G N, denote the sequence of mappings at these extractions. 
Since Q is maintained as a priority queue, we know that for all unknowns Xr with 
r < n, the inequalities pi[xr] 3 fr Pi hold. Let di = pi[xn]- If for any i, fn Pi E 
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di, the next value di+i for Xn then is obtained by di+i = di n /« Pi which is less 
or equal to pi. By monotonicity, this implies that in the subsequent iteration, the 
values for all unknowns Xr^r < n, may only decrease. The remaining iteration 
is a pure narrowing iteration and therefore terminates. In order to obtain an 
inhnite sequence of updates for z, we conclude that for no i, /„ C d^. Hence 
for every i, d^+i = diU Pi where di C dj+i. This, however, is impossible due 
to the properties of the widening operator. In summary, we conclude that Xn 
is extracted only finitely often from Q. Hence the hxpoint iteration terminates. 


The algorithm SW can also be applied to non-monotonic systems. There, how¬ 
ever, termination can no longer be guaranteed. In fact, the assumption of 
monotonicity is not a defect of our solvers SRR or SW, but inherent to any 
terminating hxpoint iteration which intertwines widening and narrowing. 

Example 8. Consider the single equation: 

X = if (x = 0) then 1 else 0 

over the lattice of naturals (with infinity) with aUb = oo whenever a < b and 
anb = b whenever a = oo. The right-hand side of this equation is not mono¬ 
tonic. An iteration, defined by Xq = 0 and x^+i = x^ B/x^ for i > 0 (f the 
right-hand side function of the equation) will produce the sequence: 

0—>oo—>- 0 ^ 00 ^ 0 ^ 00 —>■... 

and thus will not terminate. We conclude that in absence of monotonicity, we 
cannot hope for termination—at least, without further assumptions on the right- 
hand sides of the equations. M 

Still, there is one generic idea to enforce termination for all B-solvers and all 
monotonic or non-monotonic systems of equations. This idea is to equip each 
unknown with a separate counter that counts how often the solver has switched 
from narrowing back to widening. This number then may be taken into account 
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by the B-operator, e.g., by choosing successively less aggressive narrowing oper¬ 
ators rio, Hi,..and, ultimately, to give up improving the obtained values. The 
latter is achieved by dehning an^b = a for a certain threshold k. 

5. Local generic solvers 

Similar to generic solvers, we define generic local solvers. Use of local solvers 
can be considered if systems of equations are infeasibly large or even inhnite. 
Such systems are, e.g., encountered for context-sensitive analysis of procedural 
languages (Cousot and Cousot, 1977b; Apinis et ah, 2012). Local solvers query 
the system of equations for the value of a given unknown of interest and try to 
evaluate only the right-hand sides of those unknowns that are needed for answer¬ 
ing the query (Le Charlier and Van Hentenryck, 1992; Vergauwen et ah, 1994; 
Fecht and Seidl, 1999). For that, it seems convenient that the dynamic depen¬ 
dences between unknowns are approximated. For a mapping p, a set A' C A 
subsumes all dynamic dependences of a function / : (A —>■ D) U) (w.r.t. p) in 
the case that f p = f p' whenever p'\x' = p\x' ■ Such sets can be constructed on 
the fly whenever the function / is pure in the sense of (Hofmann et ah, 2010b). 

Essentially, purity for a right-hand side / means that evaluating / p for a 
mapping p operationally consists of a finite sequence of value lookups in p where 
the next unknown whose value has to be looked up may only depend on the 
values that have already been queried. Once the sequence of lookups has been 
completed, the hnal value is determined depending on the sequence of values 
and finally returned. 

In this case, the set A' can be chosen as the set of all variables y for which 
the value p y is queried when evaluating (an implementation of) the function / 
for the argument p. Let us denote this set by dep,j, p. 

A partial d-solution of an (infinite) system of pure equations S' is a set 
dom C A and a mapping p : dom ^ IS with the following two properties: 

1. p[x\ = p[x]ofx p for all X € dom; and 

2. dep,j, p C dom for all x G dom 


18 



In essence, this means that a partial D-solution is a D-solution of the subsystem 
of S restricted to unknowns in dom. 

Example 9. The following equation system (for n € N = 

y2n = max(?/y2„,n) 
y2n+l = y6n+4 

is infinite as it uses infinitely many unknowns, but has at least one finite partial 

max.-solution—the set dom = {j/i, y^, 2 / 4 } together with the mapping p = {yi 1 —>■ 2, 2/2 2, 2/4 1 —> 2} 

where dep^^^ p = { 2 / 4 }, dep^^^ p = { 222 } and dep^^^ p = { 2 / 4 , 2 / 2 }- ■ 

A local generic solver instantiated with an operator □, then, is an algorithm 
that, when given a system of pure equations S, an initial mapping po for all 
unknowns, and an unknown xq, performs a sequence of update operations that, 
upon termination, results in a partial D-solution (dom,p), such that xq G dom. 

In practice, when it is possible, po is chosen to map each unknown to the least 
element of the directed set. 

At first sight, it may seem surprising that such local generic solvers may 
exist. In fact, one such instance can be derived from the round-robin algorithm. 

For that, the evaluation of right-hand sides is instrumented in such a way that 
it keeps track of the set of accessed unknowns. Each round then operates on 
a growing set of unknowns. In the first round, just xq alone is considered. In 
any subsequent round all unknowns are added whose values have been newly 
accessed during the last iteration. 

A more elaborate algorithm for local solving is formalized by Hofmann et al. 

(2010a), namely the solver RLD, as shown in Figure 5. This algorithm has 
the benefit of visiting nodes in a more efficient order, first stabilizing innermost 
loops before iterating on outer loops. The global assignment infl : X ^ 2^ 
records, for each encountered unknown y, the set of unknowns x G dom with 
the following two properties: 

• the last evaluation of f^ has accessed the unknown y; 
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let rec solve x = 


if X ^ stable then 
stable stable U{a:}; 
tmp p[x\ U/a; (eval x)', 
if tmp ^ p\x\ then 
W 4— infl[a:]; 
p[x\ ■(— tmp; 
infl[a;] <— 0; 
stable stable \ W; 
foreach a: S W do solve x 
end 
end 

Figure 5: The solver RLD 


and eval x y = 
solve y, 

infl[y] ^ infl[y] U{a;}; 

p[y\ 

in 

stable ^ 0; 
infl ^ 0; 

P ^ Po', 
solve xq; 

P 

(Hofmann et al., 2010a). 


• since then, the value of the unknown y has not changed. 

The right-hand sides fx are not directly evaluated for the current mapping 
p, but instead for a helper function eval which in the end, returns values for 
unknowns. Before that, however, the helper function eval provides extra book¬ 
keeping of the encountered dependence between unknowns. In order to be able 
to track dependences between unknowns, the helper function eval receives as a 
first argument the unknown x whose right-hand side is under evaluation. The 
function eval first computes the best possible value for y by calling the procedure 
solve for y. Then eval records the fact that x depends on y, by adding x to the 
set infl[y]. Only then is the corresponding value p[y\ returned. 

The main fixpoint iteration is implemented by the procedure solve. It re¬ 
quires a set stable of unknowns such that, if x is in stable, a call to the procedure 
solve a; has been started and no unknowns influencing x have been updated. 

This algorithm correctly determines a post-solution of the set of equations 
upon termination. However, when enhanced with an operator □, it is not a 
generic solver in our sense, since it is not guaranteed to execute as a sequence 
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of atomic updates. Due to the recursive call to procedure solve at the beginning 
of eval, one evaluation of a right-hand side may occur nested into the evaluation 
of another right-hand side. Therefore, conceptually, it may happen that an 
evaluation of a right-hand side uses the values of unknowns from several different 
mappings pi from the sequence po, pi,..., pn, instead of the latest mapping p„. 
Accordingly, the solver RLD is not guaranteed to return a ^solution—even if 
it terminates. We therefore provide a variant of RLD where right-hand sides 
(conceptually) are executed atomically. 

Clearly, a local generic solver does not terminate if infinitely many unknowns 
are encountered. Therefore, a reasonable local solver will try to consider as few 
unknowns as possible. Our solver, thus, explores the values of unknowns by 
recursively descending into solving unknowns newly detected while evaluating a 
right-hand side. Certain equation systems, though, introduce infinite chains of 
dependences for the unknowns of interest. Those systems then cannot be solved 
by any local solver. Here, we show that the new solver is guaranteed to terminate 
for the operator B at least for equation systems which are monotonic and either 
finite or infinite but where only finitely many unknowns are encountered. 

Let us call the new solver, on Fig. 6, SLRi {structured local recursive solver). 
The new algorithm maintains an explicit set dom C A of unknowns that have 
already been encountered. Beyond RLD, it additionally maintains a counter 
count which counts the number of elements in dom, and a mapping key : dom —> 
Z that equips each unknown with its priority. Unknowns whose equations may 
possibly be no longer valid will be scheduled for reevaluation. This means that 
they are inserted into a global priority queue Q. 

As in the algorithm RLD, right-hand sides fx are evaluated for a helper 
function eval. The function eval first checks whether the unknown y is already 
contained in the domain dom of p. If this is not the case, y is first initialized 
by calling the procedure in it. Subsequently, the best possible value for y is 
computed by calling the procedure solve for y. 

Initialization of a fresh unknown y means that y is inserted into dom where 
it receives a key less than the keys of all other unknowns in dom. For that, the 
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let rec solve x = 
if X ^ stable then 
stable stable U {a;} 
tmp ^ p[x\ □ fx (eval x)', 
if tmp 7 ^ p\x\ then 
W infl[a;] U{a;}; 
foreach y G W do add Q y, 
p[x\ ^ tmp; 
infl[a:] ■(— 0; 
stable stable \ W; 
while (Q 7 ^ 0 ) A 

(min_key Q < key[a:]) do 
solve (extract_min Q); 

end 


and eval x y = 

if y ^ dom then 

init y, 
solve y, 

end; 

infl[?/] ^ infl[y] U{a:}; 

p[y\ 


stable ^ 0 ; infl ^ 0 ; 
p 0 ; dom 0 ; 

Q empty queue(); 
count ^ 0; init a;o; 
solve xq; 


P 

and init y = 
dom dom U {?/}; 
key[y] <— —count; 
count+ +; 

infl[y] ^ {y}; 
p[y\ ^ po[y\ 


Figure 6: The new solver SLRi. 
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variable count is used. Moreover, infl[ 2 /] and p\y\ are initialized with {y} and 
po[ 2 /]j respectively. Thus, the given function eval differs from the corresponding 
function in RLD in that solve is recursively called only for fresh unknowns, and 
also in that every unknown y always depends on itself. 

The main fixpoint iteration is implemented by the procedure solve. When 
solve is called for an unknown x, we assume that there is currently no un¬ 
known x' € dom with key[a;'] < key[a;] that violates its equation, i.e., for which 
p\x'] p\x'] □ fx' P holds. In the procedure solve for x, the call min_key Q 

returns the minimal key of an element in Q, and extract_min Q returns the 
unknown in Q with minimal key and additionally removes it from Q. Besides 
the global priority queue Q, the procedure solve also requires the set stable as 
for RLD. Due to the changes in eval and the fact that x is always added to W 
during the execution of solve a;, at each call of the procedure solve, if a: G stable 
then either 

• a call to the procedure solve a; has been started and the update of p\x'] 
has not yet occurred; or 

• the equality p[x\ = p[x\ □ fxP holds. 

The new function solve essentially behaves like the corresponding function in 
RLD with the notable exception that not necessarily all unknowns that have 
been found unstable after the update of the value for x in p, are recursively 
solved right-away. Instead, all these unknowns are inserted into the global 
priority queue Q and then solve is only called for those unknowns x' in Q whose 
keys are less or equal than key[a:]. Since xq has received the largest key, the 
initial call solve a:o will result, upon termination, in an empty priority queue Q. 

Example 10. Consider again the infinite equation system from example 9. The 

solver SLRi, when solving for yi, will return the partial max-solution {yo i-G 0, i-G 2, y 2 i—t 2, 2/4 i—>■ 2}. 
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The modifications of the algorithm RLD to obtain algorithm SLRi allow 
us not only to prove that it is a generic local solver, but also a strong result 
concerning termination. Our main theorem is: 

Theorem 11. 1. When applied to any system of pure equations and inter¬ 

esting unknown xq, the algorithm SLRi returns a partial a-solution whose 
domain contains xq— whenever it terminates. 

2. Assume that SLRi is applied to a system of pure equations over a directed 
set D where each right-hand side is monotonic. If the operator □ is instan¬ 
tiated with S, then for any initial mapping po and interesting unknown xq, 
SLRi is guaranteed to terminate and thus always to return a partial post 
solution—whenever only finitely many unknowns are encountered. 

Proof. We first convince ourselves that, upon termination, each right-hand 
side can be considered as being evaluated atomically. For that, we notice that a 
call solve j/ will never modify the value p[x\ of an unknown x with key[a;] > key[j/]. 
During evaluation of right-hand sides, a recursive call to solve may only occur 
for an unknown y that has not been considered before, i.e., is fresh. Therefore, 
it will not affect any unknown that has been encountered earlier. From that, we 
conclude that reevaluating a right-hand side fx for p immediately after a call 
fx (evalx), will return the same value — but by a computation that does not 
change p and thus is atomic. 

In order to prove that SLRi is a local generic solver, it therefore remains 
to verify that upon termination, p is a partial D-solution with xg € dom. Since 
xo is initialized before solve xq is called, xg must be contained in dom. Upon 
termination, evaluation of no unknown is still in process and the priority queue 
is empty. All unknowns in dom \ stable are either fresh and therefore solved 
right-away, or non-fresh and then inserted into the priority queue. Therefore, 
we conclude that the equation p[x\ = p{x\ □ fx p holds for all x G dom. Further¬ 
more, the invariant for the map infl implies that upon termination, x € infl[y] 
whenever x = y ot y € dep^, p. In particular, infl is defined for y implying that 
y € dom. 
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In summary, correctness of the algorithm SLRi follows from the stated 
invariants. The invariants themselves follow by induction on the number of 
function calls. Therefore, statement 1 holds. 

For a proof of statement 2, assume that all equations are monotonic and only 
finitely many unknowns are encountered during the call solve xq ■ Let dom denote 
this set of unknowns. We proceed by induction on key values of unknowns in 
dom. First consider the unknown x € dom with minimal key value. Then for all 
mappings p and infl, the call solve a; will perform a sequence of updates to p[x\. 
In an initial segment of this sequence, the operator B behaves like U. As soon as 
the same value p[x\ or a smaller value is obtained, the operator B behaves like 
the operator n. Due to monotonicity, the remaining sequence may only consist 
of narrowing steps. By the properties of widening and narrowing operators, the 
sequence therefore must be finite. 

Now consider a call solve x for an unknown x € dom where by inductive 
hypothesis, solve y terminates for all unknowns y with smaller keys, and all 
mappings p, infl, sets stable and priority queue Q satisfy the invariants of the 
algorithm. In particular, this means that every recursive call to a fresh unknown 
terminates. 

Assume for a contradiction that the assertion were wrong and the call to 
solve X would not terminate. Then this means that the unknown x must be 
destabilized after every evaluation of fy (eval x). Upon every successive call to 
solve X, all unknowns with keys smaller than key[x] are no longer contained in 
Q and therefore are stable. Again we may deduce that the successive updates 
for p[x\ are computed by y applied to the former value of p[x\ and a new value 
provided by the right-hand side for x, until a narrowing phase starts. Then, 
however, again due to monotonicity a decreasing sequence of values for p[x\ is 
encountered where each new value now is combined with the former value by 
means of n. Due to the properties of U and n, we conclude that the iteration 
must terminate. I 
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6 . Localized H in SLR 


So far we have applied the operator S at every right-hand side. It has been 
long known for the 2-phase widening and narrowing approach, however, that 
precision can be gained by applying widening and thus also narrowing only 
at selected unknowns. These unknowns may be chosen freely, provided they 
form an admissible set, i.e. at least one unknown is selected for each loop in the 
dependence graph of the equations. When intertwining widening and narrowing 
by means of structured round-robin or worklist iteration, restricting B to an 
admissible set of widening points may, however, no longer ensure termination 
of the resulting solvers. 

Example 12 . Consider the same set of equations in the Example 2. According 
to our definition, the singleton set {X2} is admissible. Now assume that the 
B operation is performed for the unknown X2 only. With SRR we obtain the 
following sequenee of updates: 
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1 



Whenever the value for X3 inereases, X2 and xi reeeive the value x^ + l, implying 
that subsequently, X3 further inereased. A stable post-solution is never attained. 
A .similar behavior ean also be observed for SW on this example. I 

Example 12 indicates that we cannot ignore the ordering on the unknowns Xi 
when selecting the points of application for B. Therefore, we refine the notion 
of admissibility as follows. Assume that we are given a system of equations 
Xi = ei,i = 1,... ,n where sets dep(a;i) of variable dependences are explicitly 
given. Then the set W of unknowns is called an admissible set of B -points if, 
in each cycle in the dependence graph of the equations, the unknown with the 
highest index is in W. We obtain: 
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Theorem 13. Given a system of equations and an admissible set W of S-points, 
both the algorithm SRR and the algorithm SW is guaranteed to terminate when 
instantiated with □ = B , even when restricting the application of B to unknowns 
in W only. 

Proof. The proofs are similar to those for the Theorems 4 and 7, respectively. 
Here, we only consider the assertion for SW. For the base case, note that if 
xi is the only unknown, either the right hand size of xi is a constant, or it 
refers to xi itself, in which case xi is in the set of B-points. In both cases, 
SW terminates. For the inductive case, assume x„ is extracted infinitely many 
times. First assume that a;„ is contained in W. In this case, the proof proceeds 
as in Theorem 7. Now assume that Xn is not contained in IF. Then there 
is no loop containing Xn which consists of variables with index at most n. In 
particular, this means that the set {xi,... ,Xn-i} can be split into disjoint 
subsets Xi,X2, X^. Xi consists of all unknowns directly or indirectly depending 
on Xn, X2 consists of the unknowns onto which directly or indirectly depends, 
and X3 contains the remaining unknowns. As soon as Xn is evaluated for the 
first time, the evaluation of the unknowns in X2 and X3 have already terminated. 
Therefore following an update of the unknown Xn, only unknowns from Xi may 
be added to the worklist. Since none of these ever will cause Xn to be added to 
the worklist again, fixpoint iteration terminates by the inductive hypothesis. ■ 

Example 14. According to the refined definition, the set {X 2 } in Example 12 is 
no longer admissible, whereas the set {a^s} is. When restricting B to the latter 
set, we obtain: 
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00 


and the algorithm terminates. I 

In applications where dependences between unknowns may change, we cannot 
perform any pre-computation on the dependence graph between unknowns. In 
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order to convieniently deal with these nonetheless, methods are required which 
determine admissible sets of B-points on the fly. Assume that we are given an 
assignment key of unknowns to priorities which are linearly ordered. Such an 
assignment enables us to dynamically identify back-edges. Here, a back-edge 
a; —> y consists of unknowns x, y where the value of x is queried in the right- 
hand side of y where key[a:] > key[y]. Note that this does not correspond to 
the standard definition of back-edge, but we use the same terminology since 
both may be used to identify the head of loops. When a back-edge x ^ y 
is encountered, then x is the unknown with the highest priority in some loop 
and therefore should be included into the set of admissible unknowns, i.e., those 
where B is going to be applied. In all the other case, we may omit the application 
of update. The resulting improvement to the solver, as shown in Fig. 7, is called 
SLRa. 

Interestingly for our suite of benchmark programs, the algorithm SLR 2 
did not significantly improve the precision of the resulting interval analysis. 
Consider, e.g., the program in Fig. 8. The control-flow graph corresponding to 
this program is shown in Fig. 9 where each node v is marked with the priority 
assigned to v when the function solve of SLRi is called for the endpoint of 
the program for an interval analysis. We are looking for nodes that influence 
nodes with smaller priority. In the example, these are the nodes with priorities 
— 1 and —5, respectively, i.e., exactly the loop heads. After the first iteration 
for interval analysis on this program, the interval [0,0] has been established for 
the program variable i at all program points of the inner loop. Then a second 
iteration of the outer loop is performed. Even if the operator B is only applied 
at the loop heads, we obtain the interval [0, 00 ] for i at the loop head of the 
outer loop. In the subsequent iteration of the inner loop, the new interval for 
variable i at the inner loop head is [0,99]. Since the operator B is meant to 
be applied at that program point, the interval [0,0] B [0, 99] = [0, 00 ] is recorded 
for i and subsequently also propagated to all other program points of the inner 
loop, and no subsequent narrowing will take place to recover from the loss of 
the upper bound for i. 
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let rec solve x = 


wpx <!— if a; S wpoint then true else false, 
if X ^ stable then 

stable ^ stable U{x}; 
tmp if wpx 
then p[x\ g fx (eval x) 
else fx (eval x) 
if tmp ^ p{x\ then 
p[x] 4— tmp; 

W 4— if wpx then infl[x] U{x} else infl[x]; 
foreach ?/ € W do add Q y, 
infl[x] 4— 0; 
stable 4— stable \ W; 
while {Q ^ 0) A(min_key Q < key[x]) do 
solve (extract_min Q); 

end 

end 

and init y = 

as in the original SLRi 

and eval x y = 
if y ^ dom then 
init y; solve y; 

if key[x] < key[y] then wpoint 4— wpoint U{y}; 
infl[y] 4— infl[y]U{x}; 

p[y\ 


in 


wpoint 4— 0 

as in the original SLRi 


Figure 7: The algorithm SLR, 2 , which is SL^gWith plain localized widening. Colored in red 
are then changes w.r.t. SLRi. 



Figure 8: Example program with 

nested loops. Figure 9: The control-flow graph of the program. 


This kind of loss of precision is avoided if we allow the set wpoint of unknowns 
where to apply B not only to grow monotonically, but also to shrink. Our second 
idea therefore is to remove an unknown x from wpoint before the right-hand side 
of X is evaluated. The resulting algorithm SLR 3 is shown in Fig. 10. Note that 
back-edges are detected by the call eval x y which therefore may insert y into 
the set wpoint, while the unknown x is removed from wpoint inside the call solve 


Theorem 15. When applied to any system of pure equations over a directed 
set D and interesting unknown xg, the algorithm SLRg returns a post solution, 
whenever it terminates. If each right hand side is monotonic, then SLRg is 
guaranteed to terminate, whenever only finitely many unknowns are encountered. 

Proof. The considerations in the original proof for SLRi regarding atomicity 
of evaluation of right-hand sides still hold. The same is true for partial correct¬ 
ness. The only difference w.r.t. SLRi is that, upon termination, for an unknown 
X either p[x\ = p[x\ B fxP or p[x\ = fxp. In any case, p is a post-solution. 

The most interesting part is the proof of termination. So, assume that all 
right hand sides are monotonic and only finitely many unknowns are encountered 
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during the call of solve xq. Assume the algorithm does not terminate. It means 
there are unknowns x whose values p[x\ are updated infinitely many times. Let x 
denote one of these unknowns, namely the one with maximum priority. From a 
certain point in the execution of the algorithm, no fresh unknown is encountered 
and no p[y\ for an unknown y with key value exceeding key[a:] is ever updated. 

Assume we have reached this point in the execution of the algorithm. More¬ 
over, assume that x is extracted. This means that in the queue there are no 
unknowns with key value less than key [a;]. Since all unknowns with key values 
greater than key[a:] are not subject to update (hence their evaluation does not 
add elements to the queue), for x to be extracted repeatedly, the only possibility 
is that: 

1 . in solve x, we should have trap ^ p{x\\ 

2 . there is an unknown y G infl[a;] with keyjy] < key[a;], and y is put into the 
queue. 

When y is evaluated (it will happen before solve x is called again), x will be added 
to wpoint, hence wpx will always be true when evaluating solve x. However, by 
the properties of B, this means that x cannot be updated infinitely many times: 
contradiction. Therefore the algorithm terminates. I 

Let us again consider the program from Fig. 8. The solver SLR 3 iterates 
through the program points of the inner loop until stabilization before the next 
iteration on the program points of the outer loop is performed. After this 
iteration, the interval [0,0] has been established for the program variable at all 
program points of the inner loop. Since the unknown corresponding to the loop 
head of the inner loop is now stable, it is no longer contained in the set wpoint. 
Therefore, when during the next iteration of the outer loop the interval [0, 99] 
arrives for program variable i, this interval will replace the current interval 
[0,0] for i (without application of the operator b). Accordingly, the subsequent 
iteration on the inner loop will propagate this interval throughout the inner loop 
without change. Therefore no upper bound 00 for i is ever generated within the 
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let rec solve x = 

wpx ^ if a; G wpoint then true else false] 
wpoint -f- wpoint \ {x}; 
if X ^ stable then 

stable ^ stable U{x}; 
tmp ^ if wpx 
then p[x\ H fx (eval x) 
else fx (eval x) 
if tmp p\x\ then 
p[x] ^ tmp; 

W if wpx then infl[x] U{x} else infl[x]; 
foreach ?/ G W do add Q y] 
infl[x] <— 0; 
stable 4— stable \ W; 
while {Q ^ 0) A(min key Q < key[x]) do 
solve (extract_min Q); 

end 

end 

and init y = 

as in the SLRi and SLR 2 

and eval x y = 
as in the SLR 2 


in 


as in the original SLR 2 


Figure 10: The algorithm SLR 3 , which is SLR with simple localized widening. Colored in 
red are then changes w.r.t. SLR 2 . 
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i = 0; 

while (TRUE) { 

i = i +1', 

J = 0; 

while (j < 10) { 

// Inv: 1 < i < 10 

j = j +1; 

} 

if (i > 9) i = 0; 



Figure 11; Example program hybrid Figure 12: The control-flow graph for the program 
from (Halbwachs and Henry, 2012). from Fig. 11. 

inner loop. This effect is comparable to the concept of localized widening as 
proposed by Amato and Scozzari (2013). 

7. Restarting in SLR 

Besides localization of widening and narrowing, Amato and Scozzari (2013) 
present a second idea to improve precision of fixpoint iteration in presence of 
infinite increasing chains. Consider the program in Fig. 11 whose control-flow 
graph is given in Fig. 12. In this example, the program variable i takes values 
from the interval [0,10] whenever the inner loop is entered. The upper bound 
10, though, is missed both by the vanilla version of SLR as well as of SLR 
enhanced with localized placement of S. The reason is that the inner loop is 
iterated with the interval [l,oo] for i until stabilization before, triggered by a 
narrowing iteration of the outer loop, the value [ 1 , 10 ] for i arrives at the entry 
point of the inner loop. Since [1,10] U [1, oo] = [1, oo], the finite upper bound of 
i at the entry point cannot be recovered. 
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In order to improve on this and similar kinds of precision loss, Amato and 
Scozzari propose to restart the iteration for sub-programs. The restart could 
be triggered, e.g., for the body of a loop as soon as the value for the head has 
decreased. 

In the following, we indicate how this strategy may be integrated into the 
generic solver SLR 3 (see Fig. 13). The resulting algorithm requires a function 
restart. This function when called with a priority r and an unknown x, recur¬ 
sively traverses the infl[a;] and sets it to the empty set. Each found unknown y 
is added to the priority queue Q and removed from the set stable. Moreover, if 
the priority of y is less than r, then the value p[y] is reset to po[y] and restarting 
recursively proceeds with r and the unknowns from the set infl[?/]. The function 
restart then is called within the function solve for an unknown x whenever x 
is currently contained in wpoint and the new value tmp for x is less than the 
current value for x. In this case, all unknowns in the set infl[a:] are restarted 
(w.r.t. the priority of x). Otherwise, the algorithm behaves like the algorithm 
SLR 3 . 

Consider again the program from Fig. 11. As soon as narrowing the head of 
the outer loop recovers the interval [0, 9] for the program variable i, recursively 
the values for the reachable program points with lower priorities are reset to T. 
This refers to all program points in the body of the outer loop and thus also 
to the complete inner loop. Reevaluation of all these program points with the 
value [ 0 ,9] for i at the outer loop head provides us with the invariant 1 < z < 10 
throughout the inner loop. 

The algorithm will return a B-solution whenever it terminates. A guarantee, 
however, of termination is no longer possible even if right-hand sides are mono¬ 
tonic and only finitely many unknowns are visited. Intuitively, the reason is the 
following. Assume that the value for an unknown x has decreased. Then we 
might expect that restarting the iteration for lower priority unknowns results in 
a smaller next approximation for x. Due to the non-monotonicity introduced by 
widening, this need not necessarily be the case. Accordingly, we are no longer 
able to bound the number of switches between increasing and decreasing phases 
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let rec restart r y = 
add Q y, 

stable <— stable \ {y}; 
if key[y] < r then 

p[y\ ^ Po[y\ 

M ^ infl[y]; 
infl[y] ^ 0; 

foreach z € M do restart r z 

in 

let rec solve x = 

if tmp ^ p\x\ then 
if wpx Atmp C p\x\ then 
foreach z G infl[a;] U{a:} do restart key[a;] z; 

else 

W ^ if wpx then infl[a:] U{a:} else infl[x]; 
foreach y G W do add Q y; 
stable ^ stable \ W; 
infl[x] ^ 0; 
p[x\ ^ tmp; 

while (Q 7 ^ 0) A (min key Q < key[a;]) do 
solve (extract_min Q)] 


Figure 13: Parts of the solver SLR 3 with restarting. 
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for X. There are simple practical remedies for nontermination, though. We may, 
for example, bound for each unknown the number of restarts which do not lead 
to the same value or a decrease. This behaviour is somewhat different from 
the restart policy in (Amato and Scozzari, 2013) where nontermination cannot 
happen, due to the fact that the algorithm keeps trace of which (ascending or 
descending) phase is executed in a given program point, and the restart policy 
cannot transform a descending phase in an ascending phase. 

8 . Side-effecting systems of equations 

In the following, generic solving, as we have discussed in the preceding sec¬ 
tions, is extended to right-hand sides fx that not only return a value for the left- 
hand side X of the equation x = fx, but additionally may produce side-effects 
to other unknowns. This extension to equation systems, which corresponds 
to assert-statements of Prolog or Datalog programs, has been advocated in 
(Apinis et ah, 2012) for an elegant specihcation of inter-procedural analysis using 
partial contexts and flow-insensitive unknowns and thus also of multi-threaded 
programs (Seidl et ah, 2003). 

Example 16. Consider the following program. 

int < 7 = 0 ; 

void /(int b) { 

if (b) 5 = b -f 1; 

else g = —h — 1\ 

} 

int main() { 

/(I); 

.f(2); 

return 0; 

} 
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The goal is to determine a tight interval for the global program variable g. A 
flow-insensitive analysis of globals aims at computing a single interval which 
should comprise all values possibly assigned to g. Besides the initialization with 
0, this program has two assignments, one inside the call /(I), the other inside 
the call /(2). A context-sensitive analysis of the control-flow should therefore 
collect the three values 0,2,3 and combine them into the interval [0,3] for g. 
This requires to record for which contexts the function f is called. This task can 
nicely be accomplished by means of a local solver. That solver, however, has to 
be extended to deal with the contributions to global unknowns. I 

In general, several side effects may occur to the same unknown z. Over an 
arbitrary domain of values, though, it remains unclear how the multiple con¬ 
tributions to z should be combined. Therefore in this section, we assume that 
the values of unknowns are taken from a directed set D with a least element, 
which is denoted by _L. Also right-hand sides are again assumed to be pure. 
For side-effecting constraint systems this means that evaluating a right-hand 
side fx applied to functions get : A ^ D and side : A —>■ D —^ unit, consists of 
a sequence of value lookups for unknowns by means of calls to the first argu¬ 
ment function get and side effects to unknowns by means of calls to the second 
argument function side which is terminated by returning a contribution in D for 
the corresponding left-hand side. 

Subsequently, we assume that each right-hand side fx produces no side effect 
to X itself and also to each unknown z ^ x dX most one side effect. Technically, 
the right-hand side fx of x with side effects can be considered as a succinct 
representation of a function fx that takes a mapping p and does not return just 
a single value, but again another mapping p' where p' [x] equals the return value 
computed by fx for get = p, and for z ^ x, p'[z\ = d \i during evaluation of 
fx get side, side is called for z and d. Otherwise, i.e., if no side effect occurs 
to z, p'[z] = T. A post solution of a system x = fx,x G X, of equations with 
side effects then is a mapping p : A —>■ D such that for every x G X, p A fx p. A 
partial post solution with domain dom C A is a mapping p : dom -G ID such that 
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for every x € dom, evaluation of for p accesses only unknowns in dom and 
also produces side effects only to unknowns in dom; moreover, p ^ fxp where 
p is the total variable assignment obtained from p by setting p\y\ ■(— _L for all 
y ^ dom. 

In the following, we present a side-effecting variant SLR^ of the algorithm 
SLRi from section 5 that for such systems returns a partial Osolution—whenever 
it terminates. Moreover, the enhanced solver SLR^ is guaranteed to terminate 
whenever all right-hand sides fx are monotonic, i.e., the functions fx all are 
monotonic. 


Example 17. Consider again the analysis of example 16. The contributions to 
the global program variable g by different contexts may well be combined individ¬ 
ually by widening to the current value of the global. When it comes to narrowing, 
though, an individual combination may no longer be sound. Therefore, the ex¬ 
tension of the local solver SLRi should collect all occurring contributions into 
a set, and use the joint value of all these to possibly improve the value of g. ■ 

Conceptually, the algorithm SLRj'^ therefore creates for each side effect to 
unknown z inside the right-hand side of x, a fresh unknown {x, z) which receives 
that single value during evaluation of the right-hand side fx. Furthermore, the 
algorithm maintains for every unknown z an auxiliary set set[z] which consists 
of all unknowns x whose right-hand sides may possibly contribute to the value 
of z by means of side effects. Accordingly, the original system of side-effecting 
equations is (implicitly) transformed in the following way: 

1. Inside a right-hand side fx, the side effect sidezd is implicitly replaced 
with 

side {x, z) d 

while additionally, x is added to the set set[z]. 

2. The new right-hand side for an unknown x is extended with a least upper 
bound of all {z,x), z € set[a;]. 
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The B-operator is applied whenever the return value of the new right-hand side 
for X is combined with the previous value of x. Let us now list the required 
modifications of the algorithm SLRi. 

First, the function inity is extended with an extra initialization of the set 
set[?/] with 0. The function eval remains unchanged. Additionally, a function 
side is required for realizing the side-effects during an evaluation of a right-hand 
side. As eval, the function side also receives the left-hand side of the equation 
under consideration as its first argument. We define: 

side X y d = if {x,y) ^ dom then 

p[{x.y)] ^ -L; 

\f d =/= p[{x,y)] then 

p[{x,y)] d] 

if y G dom then 

set[y] G- set[y] U{a;}; 

stable stable \ {y}; 

add Q y 
else 
init y; 

set[y] ^ {a;}; 
solve y 

end 

end 

When called with x, y, d, the function side first initializes the unknown {x, y) 
if it is not yet contained in dom. If the new value is different from the old 
value of p for {x,y), p[{x,y)] is updated. Subsequently, the set set[y] receives 
the unknown x, and the unknown y is triggered for reevaluation. If y has not 
yet been encountered, y is initialized, set[y] is set to {x}, and solvey is called. 
Otherwise, x is only added to set[y], and y is scheduled for re-evaluation by 
destabilizing y first and then inserting y into the priority queue Q. 
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The third modification concerns the procedure solve. There, the call of the 
right-hand side fx now receives side a: as a second argument and additionally 
evaluates all unknowns collected in set[a;]. The corresponding new line reads: 

tmp p[x\ a {fx (eval x) (sidex) U lJ{p[(- 2 ^j ^)] I 2 €set[x]}); 

Example 18. Consider again interval analysis for the program from example 
16. Concerning the global program variable g, the initialization g = Q is deteeted 
first, resulting in the value p[g] = [0,0]. Then g is scheduled for reevaluation. 
This occurs immediately, resulting in no further change. Then the calls /(I), /(2) 
are analyzed, the side effects of 2 and 3 are recorded and g is rescheduled for 
evaluation. When that happens, the value p[g] is increased to 

[0,0] a [0,3] = [0,0] u [0,3] = [0, oo] 

if the standard widening for intervals is applied. Since p[g] has changed, z again 
is scheduled for evaluation resulting in the value 

[0, oo] a [0,3] = [0, oo] n [0,3] = [0,3] 

Further evaluation of g will not change this result any more. I 

Analogously to theorem 11 from the last section, we obtain: 

Theorem 19. 1. When applied to any system of pure equations with side 

effects and interesting unknown xo, the algorithm SLR]'' returns a partial 
post solution—whenever it terminates. 

2. Assume that SLR]'’ is applied to a system of pure equations over a directed 
set ID) with bottom, where each right-hand side is monotonic. Moreover, 
assume that the U operator is monotonic as well. Then for any initial 
mapping pQ and interesting unknown xq, SLR^ is guaranteed to terminate 
and thus always to return a partial post solution—whenever only finitely 
many unknowns are encountered and side effects of low priority variables ’ 
right-hand sides always refer to higher priority variables. 
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Note that in the proof of termination we also require the upper bound operator 
U to be monotone. The property trivially holds when D is a join semi-lattice 
and U is the least upper bound. However, there are some abstract domains 
which are not join semi-lattices, such as zonotopes (Goubault et ah, 2012) or 
parallelotopes (Amato and Scozzari, 2012). 

The proof of theorem 19 is analogous to the proof of theorem 11. It is worth¬ 
while noting, though, that the argument there breaks down if the assumption 
on the priorities in side-effects is not met: in that case, any re-evaluation of a 
high-priority variable x may have another effect onto a low-priority variable y — 
even if x does not change. No guarantee therefore can be given that the overall 
sequence of values for y will eventually become stable. If on the other hand, the 
side-effected variable y has priority greater than x, at re-evaluation time of y, 
the evaluation of x has already terminated where only the final contributions 
to y are taken into account. Since only hnitely many such contributions are 
possible, the algorithm is overall guaranteed to terminate. 

The extra condition on the side effects incurred during fixpoint computation 
is indeed crucial for enforcing termination — as can be seen from the following 
example. 

Example 20. Consider the following program: 

int 5 = 0; 

int main() { 

5 = 5 + 1 ; 

return 0; 

} 

where the global is meant to be analyzed flow-insensitively. Consider an interval 
analysis by means of solver SLRl, and assume that the unknown for the global 
g has lesser priority than the unknown for the endpoint of the assignment to 
g. The first side effeet to g is the interval [1,1] resulting in the new value [0,1] 
which is combined with the old value [0, 0] by means of S and then again by 
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means of B . Since 

([0,0]B[0,1])B[0,1] = [0,(X)]B[0,1] = [0,1] 

the widening is immediately compensated by the consecutive narrowing. The 
same phenomenon occurs at every successive update of the value for g, implying 
that SLRi will not terminate. 

The solver SLRi behaves differently if the priority of the unknown for g 
exceeds the priority of the unknown for the endpoint of the assignment. In this 
case after the first application ofB at g, the assignment is processed again. Since 
the first application of B behaves like a widening, this means that the second side 
effect to g is with the interval [l,cx)]. Accordingly, the following recomputation 
of the new value for g will be 

[0, cx)] B ([0, 0] U [1, cx)]) = [0, oo] B [0, cx)] = [0, cx)] 
and the fixpoint computation terminates.U 

In practical applications where the side-effected unknowns correspond to glob- 
als, the extra condition on priorities in theorem 19 can be enforced, e.g., by 
ensuring that the initializers of globals are always analyzed before the call to 
the procedure main. 

Theorem 19 only discusses the extension of the base version of the algorithm 
SLRi to systems of equations with side effects. A similar extension is also 
possible to the solvers with localized application of B. In order to ensure termi¬ 
nation also in this case, however, we additionally must insert every side-effected 
unknown into the set wpoint of unknowns where the operation B is to be applied. 
For the side-effecting version of SLR 3 , we therefore define: 
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side X y d = wpoint ^ wpoint U {y}; 
if {x,y) ^ dom then 

p[{x,y)] ^ ±; 
if d p[{x,y)] then 

p[{x,y)\ ^ d\ 

if y € dom then 

set[y] ^ set[y] U{a:}; 
stable ^ stable \ {y}; 
add Q y 
else 
init y, 

set[y] ^ {a;}; 
solve y 

end 

end 

With this dehnition, termination of the algorithm SLR^ can be guaranteed 
under the same assumptions as for the algorithm SLR^. 

9. Experimental evaluation 

We have implemented the various generic local solvers and included into 
the analyzer Goblint for multi-threaded C programs. Goblint uses CIL as 
C front-end (Necula et ah, 2002) and is written in OCaml. The tests were 
performed on 2.7GHz Intel Core i7 laptop, with 8GB DDRS RAM, running OS 
X 10.9. 

In a first series of experiments we tried to clarify the increase of precision 
possibly attained by means of the various B-solvers w.r.t. the standard two-phase 
solving using widening and narrowing according to (Cousot and Cousot, 1976). 
For these experiments, we used the benchmark suite^ from the Mardalen WCET 


^available at www.mrtc.mdh.se/projects/wcet/benchmarks.html 
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100% 



Figure 14: The relative improvement of SLRi over two-phase solving. 


research group (Gustafsson et ah, 2010) which collects a series of interesting 
small examples for WCET analysis, varying in size from about 40 lines to 4000 
lines of code. This benchmark suite we have extended by four tricky programs 
from (Amato and Scozzari, 2013): a) hh.c, b) hybrid.c, c) nested.c, and 
d) nested2. c. On top of standard analyses of pointers, we performed an interval 
analysis. Opposed to the preliminary experiments in (Apinis et ah, 2013), we 
now use an interval analysis which soundly approximates 32bit integers with 
wrap-around semantics. For widening, this means that the operator widens 
the lower and upper bounds first to minint and maxint, respectively, and, if an 
underflow or overflow cannot be excluded, also the corresponding upper and 
lower bounds. In order to enable two-phase solving, we performed context- 
insensitive analysis only. 

Within this setting, we determined the precision achieved by the B-solvers 
compared to the corresponding solver which realizes a distinct widening phase, 
followed by a distinct narrowing phase. The results of this comparison is dis¬ 
played in figs. 14, 15, 16, and 17. Fig. 14 reports the percentage of program 
points where solver SLRi returns better results than two-phase solving. In the 
vast majority of cases, SLRi returned significantly better results—supporting 
the claim that B-solving may improve the precision. 
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Figure 15: The relative improvement of SLR 2 over SLRi. 



Figure 16: The relative improvement of SLR 3 over SLR 2 . 
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Figure 17: Comparison of SLR 4 with SLR 3 indicating the percentage of program points 
where the results are incomparable (brown), better (blue) or worse (red). 


Fig. 15 reports the percentage of program points where an improvement 
over SLRi can be achieved if the operator B only is applied at widening points, 
as implemented by solver SLR 2 . Here, our experiments show that, at least 
for the given simple form of interval analysis, an improvement can only be 
observed for very few example. The reason might be that, applying narrowing, 
intertwined with widening can quite often recover some of the precision lost by 
the superfluous widenings. 

Fig. 16 then reports the relative further improvement when additionally 
widening points can dynamically be removed during solving. In 15 of 37 cases, 
we again obtain an improvement, in some cases even for over 70% of program 
points! This strategy therefore seems highly recommendable to achieve good 
precision. 

Fig. 17 finally explores the impact of restarting. Here, the picture is not so 
clear. For the second benchmark, restarting resulted even in a loss of precision 
for a small fraction of program points, while still for a larger fraction improve¬ 
ments were obtained. In two further benchmarks, program points with incom¬ 
parable results where found. For benchmark program 3, these make up about 
4% of the program points, while for program 7, the fraction goes even up to 31%. 
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Figure 18: Context sensitive interval analysis of SpecCpu2006 programs. 

In principle such a behavior is not surprising, considering the non-monotonicity 
of widening. Still, for two more example programs, drastic improvements are 
found. One of these comes from the WCET benchmark suite, while the other 
has been provided in (Amato and Scozzari, 2013), admittedly, as an example 
where restarting is beneficial. 

In a second experiment, we explored the relative efficiencies of our implemen¬ 
tation of the generic local g-solvers. For that, we performed interval analysis 
where local variables are analyzed depending on a calling context which in¬ 
cludes all non-interval values of locals, while the values of globals are analyzed 
flow-insensitively. Such kind of analysis cannot be performed by the two-phase 
approach, since right-hand sides are not monotonic and the sets of contexts and 
thus also the sets of unknowns encountered during the widening and narrowing 
phases may vary. 
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This type of analysis, we tried for all benchmarks from the SpecCpu2006 
benchmark suite which can be handled by the C front-end CIL used in our 
analyzer. The set of selected benchmarks consist of seven programs in the 
range of 1 to 33 kloc, 400.perlbench with 175 kloc, and 445.gobmk with 412 
kloc of C code. The results for the side-effecting versions of SLRi to SLR 4 
are reported in fig. 18 where the numbers of evaluations of right-hand sides are 
displayed on a logarithmic scale. For a comparison we also included the numbers 
of evaluations if the solver SLR^ uses plain widening instead of B . 

The analysis of the seven smaller programs could be handled in less than 
13 seconds. The large program 400 .perlbench (175 kloc of C code) could be 
handled by our solvers — but with running times between 18 minutes (using 
SLRj^) and 4 hours (using SLR^), while context-sensitive analysis did not 
terminate for the largest benchmark 445. gobmk ( 412 kloc) within 5 hours. 

The first observation is that SLR)'" is only marginally slowed down, if widen¬ 
ing is enhanced to B, i.e., narrowing is added. The second observation is that 
the efficiency of fixpoint computation is greatly improved when restricting the 
application of B to widening points. Improvements of about 30% could consis¬ 
tently be obtained. For the large program 400.perlbench, the speedup even 
was by a factor of 3. Enhancing solver SLR^ to solver SLR)^, on the other 
hand, which comes with a significant improvement in precision, additionally re¬ 
sults in another slight reduction of the number of evaluated right-hand sides. 
To us, these numbers came at a surprise, since even in those scenarios where we 
could theoretically establish termination of the algorithms, we expected dras¬ 
tically worse running times of iteration with B when compared with iteration 
with widening alone. 

Restarting, finally, adds another dimension of potential inefficiency to fix- 
point iteration. Yet, our numbers for SLR^^ on the benchmark suite show that 
the practical slowdown over the fastest solver SLR;^ is in many cases still better 
than solving with STR)*" with widening alone. For the programs 458. s j eng and 
400.perlbench, however, SLR^ is slower by a factor of 5 and 14, respectively. 
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In summary, the B-solver SLR;^ turns out to be a robust algorithm with 
decent run-times. Interestingly, the increase in precision over plain widening 
as well as over B-solving by means of SLRf, is not penalized by means of a 
slowdown, but is combined with a significant speedup. The new solver allows to 
significantly improve precision over the two-phase widening/narrowing approach 
and also is successfully applicable in more general analysis scenarios, where the 
two-phase approach was not applicable. 

10. Related work 

Numerous attempts have been made to face the problem of the loss of preci¬ 
sion introduced by widening operators. Some authors propose to avoid widening 
and compute a fixpoint of the Kleene iteration by using strategy/policy itera¬ 
tion (Costan et ah, 2005; Gawlitza and Seidl, 2011) or acceleration operators 
(Gonnord and Halbwachs, 2006), but these methods are applicable only to spe¬ 
cific abstract domains or under syntactical restrictions to the program syntax. 
In contrast, our approach is generally applicable, independently from the choice 
of the abstract domain and operators used in the analysis or syntactical restric¬ 
tions. 

Another domain-independent approach is to design enhanced widening op¬ 
erators such as delayed widening, widening with threshold (Blanchet et ah, 
2003), widening with landmarks (Simon and King, 2006) and lookahead widen¬ 
ing (Gopan and Reps, 2006). These may work in some specific settings and 
abstract domains, but still may benefit from an accompanying narrowing itera¬ 
tion. These kinds of enhancements are orthogonal to our approach. They may 
be plugged into the B-operator, and thus be used together with our fixpoint 
algorithms. 

Due to the presence of widening operators, it has been observed that the en¬ 
tire analysis fails to be monotonic. Therefore, selecting a different starting point 
of the analysis, other than the bottom of the abstract domain, may improve the 
overall result. In practice, this has been exploited by different techniques, which 
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all have in common the idea to repeat the entire analysis multiple times with 
some variations, and afterwards combine the results. The proposal of Halb- 
wachs and Henry (2012) is to iterate the analysis starting from a different initial 
value. After each widening/narrowing phase, the result is perturbed in order 
to get a new value to restart the widening/narrowing phase. The intersection 
of all the obtained results is guaranteed to be a post-fixpoint. There are sev¬ 
eral approaches to choose the perturbation, but only the simplest one has been 
implemented so far. In (Amato and Scozzari, 2013), experimental evidence is 
provided that localized widening with a standard separated narrowing is com¬ 
petitive with respect to this approach. Note that SLR 2 generalizes the ideas 
of Amato and Scozzari (2013). Gopan and Reps’ guided static analysis (Gopan 
and Reps, 2007) applies a standard program analysis to a sequence of program 
restrictions. Each restriction is analyzed starting from the result of the previ¬ 
ous restrictions, until the original program is analyzed. Moreover, Henry et al. 
(2012a) enhance guided static analysis by combining it with path-focusing (Mon- 
niaux and Gonnord, 2011), in order to avoid merging infeasible paths and find 
precise disjunctive invariants. Amato and Scozzari (2013) give some evidence, 
though, that guided static analysis does not help in those cases where localized 
widening and intertwined widening and narrowing are beneficial. Monniaux 
and Le Guen’s stratified static analysis by variable dependency (Monniaux and 
Guen, 2011) is similar to guided static analysis in that successive approxima¬ 
tions of the program are considered, where later approximations consider more 
variables than former ones. The result of one approximation is used within the 
successive approximations to improve the results. 

These techniques treat the equation solver as a black box, and try to execute 
different analyses to improve the result. In this sense, they are orthogonal 
to our engineering of fixpoint algorithms and therefore may benefit from our 
improvements. In particular, the combination with static guided analysis seems 
promising. 
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11. Conclusion 


We have presented a generic combination of widening and narrowing into a 
single operator B and systematically explored solver algorithms which, when in¬ 
stantiated with B will solve general systems of equations. Perhaps surprisingly, 
standard versions of fixpoint algorithms, when enhanced with B, may fail to ter¬ 
minate even for finite systems of monotonic equations. Therefore, we presented 
variants of round-robin iteration, of ordinary worklist iteration as well as of 
recursive local solving with and without side effects where for monotonic equa¬ 
tions and hnitely many unknowns, termination can be guaranteed whenever only 
finitely many unknowns are encountered, and side-effects are to higher-priority 
unknowns only. In order to enforce termination, we assigned static priorities to 
the unknowns of the system. In order to construct generic solvers for arbitrary 
systems of equations, we heavily relied on self-observation of the solvers. Thus, 
we assign the priorities in the ordering in which the unknowns are encountered. 
We let the fixpoint iterator itself determine the dependencies between unknowns. 
Together with the static priorities, also the places where to apply the operator 
B are dynamically determined. 

It has not been clear before-hand, though, how well the resulting algorithms 
behave for real-world program analyses. In order to explore this question, we 
have provided an implementation within the analysis framework Goblint. In 
our experimental set-up, we considered inter-procedural interval analysis where 
the monotonicity assumption is not necessarily met. Our experiments conhrm 
that fixpoint iteration based on the combined operator B still terminates and 
may increase precision considerably. This holds true already for the local solver 
SLR^ which has been presented in (Apinis et ah, 2013). Beyond that, we 
demonstrated that the add-on of localizing B operators increases precision fur¬ 
ther, while efficiency is improved at the same time. An equally clear picture 
could not be identified for the extra optimization of restarting. While we found 
improvements in selected cases and generally still an acceptable efficiency, we 
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also found exceptional cases where a (minor) loss of precision occurs at some 
program points or where the performance is degraded considerably. 

At the end, we think that the two most important benefits of using the 
B-operator are: 

• the increase in precision w.r.t. standard analysis with separate widening 
and narrowing phases; 

• simpler implementation of solvers w.r.t. other solutions with separate and 
(especially) interleaved widening and narrowing phases (compare, for ex¬ 
ample, the complexity of the solver based on localized narrowing in (Am¬ 
ato and Scozzari, 2013) with the solver SRR). 

Our experiments were performed for standard interval analysis with the ob¬ 
vious widening and narrowing operators. It remains for future work to explore 
how well our methods work also for other domains and for more sophisticated 
widening and narrowing operators. 
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Some notes on localized widening and 
hierarchical orderings 


No Author Given 
No Institute Given 


1 Localized widening in SLR 

Localized widening, in its original definition, works by separating, at a widen¬ 
ing point, the contributions coming from back-edges from those coming from 
forward-edges. Generally, back-edges and widening points are detected by using 
an ordering relation defined over unknowns. 

In particular, in the standard settings from [?], given an ordering < on vari¬ 
able unknows, a back-edge is an edge x ^ y such that y < x (a better name 
would be retreating edge, but we will stick with back-edge for now). In this case, 
j/ is a potential widening point (we do not need to take all potential widening 
points as such, although most analyzers actually do). 

Gonsider now the case of SLR. In the original formulation given in the paper, 
all unknowns are widening points (actually box point). In the implementation, 
however, there is an optimization: a variable a; is a widening point iff there is an 
y dependent from x such that key[?/] < key[a:]. Using the previous notation, this 
means that a; is a widening point iff there is a back-edge x ^ y starting from x. 
Therefore, widening points in SLR are the sources of back-edges, instead of the 
targets of back-edges. 

This means that, if we want to implement localized widening, we need to 
find different ways to recognize “back contributions” (whatever this means). I 
see only two different approaches: 

1. identify “real back-edges” pointing to widening nodes, and continue to apply 
localization in the standard way. If I am not wrong, this is what Kalmer is 
trying to do, using pre-dominators or call-sets to identify real back-edges. 
My only concern is whether applying localization in this way ensures termi¬ 
nation; 

2. change the way localization is applied. 

Let me talk about point two. In SLR, if a; is a widening point, x ^ y and 
key[?/] < key [a;] (i.e., a; —>■ y is not a back-edge), we are sure that every loop 
X ^ y ^ X passes for a widening point different from x. Therefore, 

as long as no back-edge starting from x is followed, we may avoid to perform 
widening at point x. This is the idea I pursued in my “simple localized widening” 
implementation. 


1.1 Simple localized widening with SLR 

In Figured] you find the code of SLR with localization. We have the following: 

Theorem 1. When applied to any system of pure equations over a join semi¬ 
lattice D and interesting unknown xq, the algorithm SLRLW returns a post 
solution, whenever it terminates. If each right hand side is monotonic, then 
SLRLW is guaranteed to terminate, whenever only finitely many unknowns are 
encountered. 

Proof. The considerations in the original proof for SLR regarding atomicity of 
evaluation of right-hand sides still hold. The same is true for partial correctness. 
The only difference w.r.t. SLR is that, upon termination, for a variable x either 
p[x\ = p[x\ B f,„p or p[x\ = fxp. In any case, p is a post-solution0 

The most interesting part is the proof of termination. So, assume all right 
hand sides are monotonic and only finitely many unknowns are encountered 
during the call of solve xq. Assume the algorithm does not terminate. It means 
there are unknowns x whose value p[x\ is updated infinitely many times. Let x 
one of such unknowns, namely the one with maximum priority. From a certain 
point in the execution of the algorithm, no fresh variable is encountered and no 
p[y] for a variable y with priority bigger than x is ever updated. 

Assume we have reached this point in the execution of the algorithm. More¬ 
over, assume that x is extracted. This means that in the queue there are not 
variable y with priority less than y. Since all variable with priorities greater than 
X are not subject to update (hence their evaluation does not add elements to 
the queue), but x should be extracted again, the only possibility is that: 

1. in solve x should be tmp p[x\-, 

2. there is y € infija:] with key[j/] < key[a:], and y is put in the queue. 

When y is evaluated (it will happen before solve x is called again), x will be added 
to wpoint, hence wpx will always be true when evaluating solve x. However, by 
properties of B, this means that x cannot be updated infinitely many times, 
which is an absurd. Therefore the algorithm terminates. 


2 Box-based solvers and weak topological orderings 

In this section, we want to adapt the algorithms in [?] with the support for weak 
topological orderings instead of only variable priorities. First of all, we recall 
what is a weak topological orderings in our setting. 

Definition 1 (Hierarchical ordering [?]). A hierarchical ordering of a set S 

is a well-parenthesized permutation of this set without two consecutive “(”. 

^ The symbol B denotes exactly the same operator defined in the PLDI paper, I just 
don’t know how to generate the correct symbol in lAlFiX. 



let rec solve x = 

wpx •<— if X G wpoint then true else false ; 
wpoint wpoint \ {x}; 
if stable then 

stable •<— stable U {x} 
tmp ■«— if wpx 

then p[x\ B /^^(evala:) 
else fx{eYa\x)', 
i f tmp 7^ p[x\ then 
W ^ infl [x] ; 
p[x\ •<— tmp; 

1 n f 1 [ X ] ■«— X ; 

stable ■«— stable \ W; 
while (Q 7^ 0 ) A {minjtey Q < key[a:]) do 
solve (extract_min Q) ; 

end 

end 

and init y = 

os in te original SLR 

and eval x y = 
if y ^ dom then 
init y; solve y; 

end 

if key [x] <= key[y] then wpoint ■<— wpoint U {y} ; 
infl [y] -f- infl [y] U {x}; 

p[y] 


in 

wpoint \emptyset 
os in the original SLR 

Fig. 1. The algorithm SLRLW, which is SLR with simple localized widening. Colored 
in red are then changes w.r.t. SLR. 


In other words, a hierarchical ordering is a string over the alphabet S aug¬ 
mented with left and right parenthesis. The elements between two matching 
parentheses are called a component and the first element of a component is 
called the head. The set of heads of the components containing the element I is 
denoted by 

Example 1. Two hierarchical ordering for S = {1,..., 10} are 123456789 10 
and 1 (2 3 5 (6 7 9) 8 10) 4. In the second ordering, the heads are 2 and 6 and 
we have lu{4) = 0, a;(5) = {2} and lu(J) = {2, 7}. 

A hierarchical ordering induces a total ordering, that we denote by cor¬ 
responding to the permutation of the elements. 

Now consider a set of data-flow equations. For each unknown x we dehne 
dep,j, according to [?]. 

Definition 2 (Weak topological ordering [?]). A weak topological ordering 
of a system of data-flow equations is a hierarchical ordering of its unknowns such 
that, if u G dep„ either u ^ v or v u and v G oj(u). H 

Example 2. Consider this system of data-flow equations: 

xi = [0,0] X Z 

X2 = XiV Xio 

X3 = X2 A ([—oo, 9] X Z) 

X 4 . = X 2 A ([10, oo] X Z) 

X5 = first{x 3 ) X [0,0] 

Xe = XsV Xg 

xr = xq A {Z X [—oo, 9]) 
xs = xq A {Z X [10, oo]) 

Xg = X 7 -\- ([0,0] X [1,1]) 

Xio = xs-\- ([1,1] X [0,0]) 

A possible w.t.o. for such a system is: Xi {x 2 X 3 X 5 (xe X 7 xg) xg xio) X 4 . 

In the algorithms to come, we will need the following operators on hierarchical 
orderings. 

Definition 3. Given a hierarchical ordering A for a set S, we define: 

— head^(i) is true if i is an head, i.e., if i G false otherwise 

— nextinc-<(i) is the next element of i if there is no symbol ) between them, it 
is T otherwise 

— next-<(i) is the next element of i if it exists, T otherwise 

^ In [?], the first condition was u < v t\v ^ lu{u). However, the second conjunct is 
implied by the first one. 



^ if i precedes an head element j, skip_.(z), returns the element after the inner 
component which starts at j and within the same component ofi, if it exists. 
It is _L otherwise. 

We omit ^ from the subscripts of head, nextinc, next and skip when it is clear 
from the context. 

Example 3. On the w.t.o. given in Example[21 we have next(a;i) = X 2 , next(xi) = 
Xi+i for each i < 10, next(a;io) = -L- Moreover, nextinc is defined as next, with 
the difference that nextinc(a; 9 ) = nextinc(a;io) = -L- Finally skip(a;i) = X 4 and 
skip(a;5) = xs. 

Example f. For the h.o. 1 2 (3 (4 5)) 6 we have skip(2) = 6 and skip(3) = _L, 
since there is no element after (4 5) which is in the same component as 3. 

2.1 First algorithms 

We first define al algorithm which implements a recursive iteration strategy. The 
main idea of the recursive strategy is that inner components do stabilize before 
outer components. Figure [2] contains the source of the algorithm. 


void solve(i) { 
if ( i^=_L) return 
if (not (head i )) { 
p{xi) <- fip 
solve (next i) 

} else { 

p{xi) -i- p{xi)Ufip 
do { 

old -f— p{xi) 
solve (next i) 
p{xi) ^ p{xi)Ufip 
} while {p{xi) old) 
solve (skip i) 

} 

} 

Fig. 2. The algorithm REC which performs a recursive iteration strategy. 


Given a set of data-flow equations with unknowns xi,... ,x„, consider the 
w.t.o. Xn (x„_i( • • • (xi(xo)) ■ • •)) where all parenthesis close at the end. Then 
head(j) is always true and skip(i) is always T. The order that data-flow equations 
are considered in Algorithm 1 is almost the same order followed by the RR 
algorithm, with the difference that we always perform an update of p{xi) before 
solving for Xi-i. 


